As New Zealand businesses rapidly adopt AI assistants, copilots, and agentic workflows, prompt injection has emerged as one of the most significant new attack surfaces. Google's latest research into real-world prompt injection activity confirms what defenders have suspected: attackers are now actively embedding malicious instructions in web content, emails, and documents to hijack AI systems that consume them. For Kiwi organisations integrating AI into customer service, productivity, and security operations, this is no longer a theoretical risk.

What This Means

Prompt injection works by smuggling adversarial instructions into content that an AI model will later process — a webpage, a PDF attachment, a calendar invite, a support ticket. When the AI ingests that content, it can be tricked into ignoring its original instructions and instead exfiltrating data, taking unauthorised actions, or producing manipulated output. Google's findings show this technique is moving out of research labs and into opportunistic, in-the-wild use across the open web.

The risk is amplified by agentic AI — systems that can read, decide, and act on a user's behalf. An AI agent that browses the web, reads emails, or queries internal documents on behalf of a staff member can be coerced into leaking sensitive information or executing harmful workflows simply by encountering attacker-controlled content. The trust boundary has shifted: any data the AI consumes is now potentially adversarial input.

Google highlights layered defences as the only viable approach — input sanitisation, output filtering, model-level safeguards, and strict permission scoping for agentic actions. There is no single fix, and detection is hard because malicious prompts often look like normal text. This means governance, monitoring, and least-privilege design are essential whenever AI is connected to business data or systems.

For NZ organisations, the implications cut across two fronts: securing the AI tools you build or deploy, and governing the AI tools your staff already use (often without IT's knowledge). Shadow AI usage dramatically increases exposure, because every unsanctioned tool is another channel for injection-based attacks.

Key Takeaways

  • Prompt injection is now an observed, real-world threat — not just a research concern.

  • Any external content an AI processes (web pages, emails, documents) is a potential attack vector.

  • Agentic AI systems with tool access dramatically raise the impact of a successful injection.

  • Defences must be layered: no single control reliably blocks prompt injection.

  • Shadow AI and unsanctioned GenAI tools are a major and often unmanaged risk.

  • Visibility into how staff use AI is now a core security requirement.

What NZ Businesses Should Do

  1. Inventory AI usage across the business. Identify which AI tools, copilots, and agents staff are using, what data they access, and what actions they can take. Use AI Secure Access to discover and govern GenAI and shadow AI usage in your environment.

  2. Apply least privilege to AI agents. Restrict what data AI assistants can read and what actions they can perform autonomously. Treat AI accounts with the same rigour as any privileged identity, and monitor them through Trend Vision One™ Identity Security.

  3. Treat AI-ingested content as untrusted input. Validate and sanitise data flowing into AI workflows, and log AI inputs and outputs for review. Integrate this telemetry into Trend Vision One™ SecOps so prompt-injection indicators can be correlated with broader threat activity.

  4. Continuously assess AI-related exposure. Use Trend Vision One™ Cyber Risk Exposure Management (CREM) to surface AI-connected assets, integrations, and data flows that expand your attack surface.

  5. Educate staff and update AUPs. Make clear which AI tools are sanctioned, the risks of pasting sensitive data into public LLMs, and how to report suspicious AI behaviour.

Source: Read the full article on Google Security Blog